[00:00.000 --> 00:06.600]  Hello and welcome back to the seventh year of the Industrial Control System Village,
[00:06.600 --> 00:15.000]  the ICS Village at DEF CON. We're really excited this year because, one, we made it. This was a
[00:15.000 --> 00:20.640]  more difficult year for us than past years because all of those ranges, all of that industrial
[00:20.640 --> 00:24.700]  control system equipment that you've seen in the past, we had to figure out how to get it
[00:24.700 --> 00:31.860]  completely virtualized for you. So I want to say thank you to GRIMM, who has been hosting a lot of
[00:31.860 --> 00:38.640]  our equipment for us. New this year, besides everything being virtualized for access for
[00:38.640 --> 00:44.840]  our CTF, the last two years our CTF, the winner, has won a black badge. So crossing our fingers,
[00:44.840 --> 00:52.860]  we can pull that off for a third time. No guarantees. The Department of Homeland Security
[00:52.860 --> 01:01.080]  CISA agency is going to be... they have some special range equipment that they have integrated into
[01:01.440 --> 01:07.380]  a part of our CTF. So there's going to be a lot more fun and a lot more challenges this year.
[01:07.380 --> 01:11.380]  We have a great lineup of speakers. One of the biggest things that we took advantage of this
[01:11.380 --> 01:17.420]  year with the conference being completely virtual was reaching out to get a lot of international
[01:17.420 --> 01:22.340]  speakers. So the kinds of folks that work in industrial control systems elsewhere in the world,
[01:22.340 --> 01:28.120]  that would not typically be able to make the trip to Vegas. So a lot more variety in international
[01:28.120 --> 01:33.480]  representation with the speakers. So really looking forward to that. Logistics for it this
[01:33.480 --> 01:39.320]  year, obviously you know about everything that's going on Discord at DEF CON with the ICS Village
[01:39.320 --> 01:46.260]  specific channels around that. Q&A will be done there. Some speakers will be doing Q&A for the
[01:46.260 --> 01:51.800]  live sessions. So live speaker sessions, Q&A will be in Zoom. Otherwise you can meet with the speakers
[01:51.800 --> 01:58.760]  in Discord. And check out and subscribe to our new channels in YouTube and Twitch, where we'll
[01:58.760 --> 02:07.560]  be streaming everything live to you. Have a great DEF CON. Our keynote for this year is the director
[02:07.560 --> 02:14.320]  of CISA, Chris Krebs, reflecting the continued collaboration between the agency and the Village
[02:14.320 --> 02:21.320]  with bringing education and more equipment to the community. This DEF CON, we are kicking off
[02:21.800 --> 02:28.840]  the first of many opportunities to bring real ICS to even more hackers to get to work with.
[02:28.840 --> 02:33.220]  So without further ado, Chris Krebs with the ICS Village keynote for DEF CON.
[02:35.660 --> 02:43.340]  Hey, hello out there. Welcome to DEF CON ICS Village Safe Mode. My name is Chris Krebs. I am
[02:43.340 --> 02:51.780]  the director of the U.S. Cyber and Infrastructure Security Agency. Today I'm going to tell you a
[02:51.780 --> 02:56.640]  little bit about what we've been doing over the last couple years, our approach to control systems,
[02:56.640 --> 03:02.860]  but more broadly, not just our approach, the things we're doing working with you and the community to
[03:02.860 --> 03:08.920]  improve control system cybersecurity out there across this great country and throughout the
[03:08.920 --> 03:14.890]  world. So I think what I want to start with is tell you a little bit about who we are, CISA,
[03:15.500 --> 03:20.540]  again, the Cyber and Infrastructure Security Agency, youngest federal agency
[03:21.440 --> 03:28.980]  coming up on our second birthday here, and talk to you a little bit about the threat landscape as
[03:28.980 --> 03:36.680]  we see it and tie it to a few actors out there that have been improving their capabilities.
[03:36.680 --> 03:42.460]  And then stitch that all up into a story of the things that we've identified as important and how
[03:42.460 --> 03:49.620]  we work with you and the rest of the ICS security community to actually achieve these objectives
[03:49.620 --> 03:59.340]  that we're all working day in, day out towards. So that, yeah, CISA, almost two years old now.
[03:59.600 --> 04:03.820]  We are a part of the Department of Homeland Security. We've been around in one way, shape,
[04:03.820 --> 04:09.860]  or form since the creation of the department, but the U.S. Congress gave us the authority
[04:09.860 --> 04:17.540]  to stand up as a separate operational component, like the Transportation Security Administration,
[04:17.540 --> 04:23.680]  you normally would have had to deal with if we were in Vegas, like last year and ideally next
[04:23.680 --> 04:32.700]  year. And FEMA, if you're paying attention to COVID or hurricane season, they're out in front.
[04:32.700 --> 04:39.260]  So that's where we come in. We're CISA. We are the nation's risk advisor as we style ourselves.
[04:39.260 --> 04:44.560]  But the concept here is to get an understanding of what the risk landscape looks like and how
[04:44.560 --> 04:49.340]  it intersects with the nation's critical infrastructure across a number of different
[04:49.340 --> 04:56.540]  lines of effort, but I tend to distill them down to five. First is traditional InfoSec.
[00:56.540 --> 05:06.020]  We are the home of US-CERT, and we have been working some aspect of InfoSec for two plus
[05:06.020 --> 05:13.320]  decades now. The second aspect or discipline is control system security. We are also home to ICS-CERT
[05:13.320 --> 05:19.520]  and have been in this game for quite some time with varying levels of investment and
[05:19.520 --> 05:24.920]  capability, but we are fully committed to this mission. The third is supply chain security.
[05:24.920 --> 05:29.920]  Lots of activity on the supply chain front over the last couple years, particularly since I've
[05:29.920 --> 05:36.220]  been here, and really looking forward to building more capability and sight and maturity across the
[05:36.220 --> 05:41.420]  supply chain risk management discipline. And the last two pieces, insider threat,
[05:41.420 --> 05:47.900]  and this is more about that blending of close access operations, allowing an adversary into
[05:47.900 --> 05:53.460]  your network or into your perimeter that they can then combine with other techniques to achieve
[05:53.460 --> 05:58.720]  their objectives. And then lastly, physical security. So in this broader cybersecurity and
[05:58.720 --> 06:05.360]  infrastructure security space, we're also out there day in, day out conducting physical security
[06:05.360 --> 06:12.840]  assessments of facilities to help protect things like schools and hospitals right now,
[06:12.840 --> 06:19.420]  and places of worship. Back when sports start up again at larger scale and you can actually go
[06:19.420 --> 06:26.040]  attend the sporting event, assuming you like sports ball, we are out there helping the
[06:26.040 --> 06:31.740]  facility owners and operators understand how to best secure their facilities. So that's kind of
[06:32.470 --> 06:39.660]  the disciplines that we focus on. And we have a very different approach, I think, to engaging
[06:40.560 --> 06:44.940]  our stakeholders, our customers, as it were, than you might find in other parts of the federal
[06:44.940 --> 06:51.040]  government. They're usually persuasive hooks that agencies have, whether it's law enforcement
[06:52.600 --> 07:01.720]  authorities, or it's regulatory authorities, or they have money, things like that. We're in a
[07:01.720 --> 07:08.520]  public-private partnership business, and that's a kind of cliche thing to say, I think, certainly
[07:08.520 --> 07:18.180]  over the last 15 plus years. But we spend a lot of time listening. So it's not that old, tired,
[07:18.180 --> 07:23.280]  you know, we're from the government and we're here to help. It's more along the lines of,
[07:23.280 --> 07:27.280]  we're from the government, we're here to listen. We want to understand what your problems are,
[07:27.280 --> 07:33.880]  your challenges are, what your gaps are. We have certain advantages where, at the end of the day,
[07:34.560 --> 07:44.560]  profit and revenue is not our prime objective. We have the ability to overcome places where there's
[07:44.560 --> 07:50.680]  no legitimate business model for the private sector to chip in and contribute. So that's
[07:50.680 --> 07:56.080]  kind of a sweet spot for us. And of course, there are other aspects here. We have access to
[07:56.080 --> 08:01.300]  classified information. And when we know what the bad guys are trying to do, or, oh, I don't know,
[08:01.300 --> 08:09.580]  actually doing, we're able to distill that down and bring partners into the fight to counter those
[08:09.580 --> 08:20.440]  efforts. And so again, we're this public-private partnership, voluntary effort agency. I'm not
[08:20.440 --> 08:27.860]  going to lie, it's tough. When you really have to work that extra bit to understand what a partner's
[08:27.860 --> 08:33.980]  challenges are, and then go back and craft something that is going to help them, that takes
[08:34.120 --> 08:39.680]  a lot more work than I think some of the other authorities that other agencies have. But in
[08:40.360 --> 08:47.740]  a sense, it's also pretty darn easy if you listen the right way. If you listen to really what the
[08:47.740 --> 08:53.320]  challenges and the gaps are in the critical infrastructure community, whether it's on the
[08:53.320 --> 09:01.500]  InfoSec side or the OT control system side, if you listen really hard, and you isolate the issue,
[09:01.500 --> 09:09.560]  and you address the issue and deliver some value, it's a self-fulfilling prophecy in terms of your
[09:09.560 --> 09:15.560]  ultimate success. So we, in a certain sense, are like the private sector, right? We're like an
[09:15.560 --> 09:22.720]  organization that has to develop the capability, turn it, do the market research, pull together a
[09:22.720 --> 09:30.340]  product lifecycle, have a team to deliver it to customers, and then have feedback and dial it in.
[09:30.340 --> 09:37.620]  So we very much have that private sector mentality. In that philosophy, that approach is in part why
[09:37.620 --> 09:45.340]  I'm here today, wherever here is. But that's why I'm here today. It's part of market research,
[09:45.340 --> 09:49.740]  it's part of engaging a community and understanding what the challenges are and
[09:49.740 --> 09:57.720]  how we can all work together to close out those gaps. And I honestly think,
[09:58.460 --> 10:05.580]  which means I'm not lying to you right now, I guess, that right now, the threat landscape,
[10:06.220 --> 10:13.440]  the bad guys out there doing bad things, is as active as I've ever seen it.
[10:14.000 --> 10:19.440]  And that's not to say that the bad guys out there haven't been doing bad things for a long time.
[10:19.620 --> 10:24.980]  2012, 2013, dating all the way back, we've seen, particularly in the control system space and the
[10:24.980 --> 10:32.720]  hard infrastructure space, really dramatic adversary activity. So go back and look at
[10:32.720 --> 10:38.440]  the 2019 Worldwide Threat Assessment. There's a very specific piece in there that talks about
[10:38.440 --> 10:46.460]  Chinese capabilities to disrupt pipelines, cause localized outages. That goes back several years.
[10:46.720 --> 10:53.180]  A couple years ago, the Russians, what we called at the time alien viper, but they absolutely
[10:53.180 --> 11:00.120]  targeted energy infrastructure. They went through the supply chain, they went through contractors,
[11:00.120 --> 11:05.420]  construction organizations in this case, they knew where they were wanting to go.
[11:06.080 --> 11:11.860]  And they used a range of capabilities, a range of accesses to get there.
[11:12.200 --> 11:20.080]  Even more recently, we, alongside the National Security Agency, issued an alert that was pretty
[11:20.080 --> 11:26.160]  clear and pretty stark in the terms of, if you have OT systems that touch the internet,
[11:26.160 --> 11:32.100]  you need to get them offline. You need to harden them. You need to protect them. You need to
[11:32.100 --> 11:37.880]  install or implement better email security measures because what we found is flat, unsegmented
[11:37.880 --> 11:45.040]  networks provides the adversary the ability to pivot off the business network into the OT networks.
[11:45.040 --> 11:53.820]  Again, these are very, very active targets for the bad guys. It's only a matter of time, as I
[11:53.820 --> 11:59.960]  think Dale Peterson said back in January down at S4, in an interview I did with him, that
[12:01.020 --> 12:09.620]  ransomware will come to the control system space. It's a matter of time. Let's get there before them.
[12:09.900 --> 12:17.980]  So our mindset has been going back to that general philosophy of the agency. How do we understand,
[12:17.980 --> 12:23.100]  how do we build a community of practice here? We're not the ones building it, to be clear.
[12:23.100 --> 12:31.200]  We want to be able to foster that community of practice. And so a year and a half or so ago now,
[12:31.200 --> 12:37.540]  when we came out of a pretty historic, not pretty, but a historic shutdown of the U.S.
[12:37.540 --> 12:44.740]  federal government, I laid out a series of priorities for this agency. First, half my
[12:44.740 --> 12:49.920]  budget goes, if you haven't checked and you don't, who looks at the federal government budgets,
[12:49.920 --> 12:57.780]  but half of my budget goes to federal cybersecurity. That's a big chunk of money, and so that's a top
[12:57.780 --> 13:02.740]  priority for me. What else is a top priority for me? Election security. Looking forward to
[13:02.740 --> 13:08.020]  participating, parts of my team participating in the voting village, DEF CON voting village as well.
[13:08.580 --> 13:16.060]  We're also doing physical security, as I mentioned, for crowded places and soft targets. But I think
[13:16.740 --> 13:23.440]  when we were sitting there as a team trying to identify the greatest areas for opportunity,
[13:23.440 --> 13:30.160]  the greatest areas for community progress, two things immediately jumped to mind,
[13:30.160 --> 13:38.440]  and they're related. Supply chain. Supply chain risk management is an untapped area
[13:38.440 --> 13:45.460]  that we are putting a significant amount of effort behind. But the last piece of care,
[13:45.460 --> 13:48.460]  of course, why I'm here today, industrial control systems. As I mentioned,
[13:48.460 --> 13:53.140]  we are the home of ICS-CERT. It's a game that we've been playing for quite some time,
[13:53.140 --> 14:00.080]  and we are reinvigorating our partnerships, we're reinvigorating our investments,
[14:00.080 --> 14:08.740]  bringing and building a fantastic team. And our overall objectives is to be able to stitch
[14:08.740 --> 14:16.860]  together the U.S. government in support of industry and the control system security community.
[14:17.520 --> 14:23.500]  Together. That's it. Together. We're just working on doing this together. And so coming out of that
[14:23.500 --> 14:29.680]  shutdown, I challenged the team, said, tell me how we're going to do this. And of course,
[14:29.680 --> 14:34.960]  federal government agencies is what we do. We build strategies, right? So in July, we released
[14:34.960 --> 14:39.920]  our industrial control systems initiative, which is our strategy. It says, here are the things that
[14:39.920 --> 14:48.060]  we are aiming to accomplish. Here's the main thrust of activity. Now, you didn't come here
[14:48.060 --> 14:53.760]  today to hear me talk about a strategy about another federal government plan. Another, it's
[14:53.760 --> 15:01.620]  actually pretty tight in terms of page count, but that's not why we're here. But I do need to lay out
[15:01.620 --> 15:07.480]  what our objectives are and how we're going to do that. And then I'm going to tell you about
[15:07.480 --> 15:13.600]  the mechanisms we're using and some of the key implementation priorities. And that'll give you
[15:13.740 --> 15:21.280]  a sense of where we're going. Most importantly, how you can participate. Because together, to me,
[15:21.280 --> 15:26.060]  means one thing. And I mentioned it earlier this year at the industrial control systems
[15:26.060 --> 15:32.520]  joint working group that we had to do online, just like this. Our top line objective
[15:33.160 --> 15:40.300]  is to democratize industrial control systems security efforts. And what that means is making
[15:40.300 --> 15:48.440]  it open for everyone, bringing the community together. It's not about releasing products
[15:48.440 --> 15:55.100]  and tools and services that only a handful can afford. It's not about restricting access. It's
[15:55.100 --> 16:02.800]  about diversity. It's about inclusion. It's about democratizing security. That's what's
[16:02.800 --> 16:11.540]  behind our strategy. So real quick, the philosophy behind the strategy is about empowering you,
[16:11.540 --> 16:17.800]  empowering vendors and owners, operators, and integrators to make better risk management
[16:17.800 --> 16:24.680]  decisions. It's about informing your investments. It's about integrating the U.S. government
[16:25.560 --> 16:29.840]  and our partners in the intelligence community, Department of Defense and FBI. It's about
[16:29.840 --> 16:36.220]  integrating our efforts into yours. It's about moving to a proactive industrial control systems
[16:36.220 --> 16:45.160]  posture. And lastly, it's about driving towards a sustainable, long-lasting control systems
[16:45.160 --> 16:51.840]  security community. That's the top line. All right. How are we doing this? Pillars. We got
[16:51.840 --> 16:56.900]  four pillars. Every strategy's got to have pillars. We have four pillars. First pillar is
[16:56.900 --> 17:02.680]  asking more of the community, but doing more for the community from the federal government
[17:02.680 --> 17:11.020]  perspective as well. The second is advancing technology and the ability to secure our
[17:11.020 --> 17:19.460]  systems. Not just tomorrow's systems, but we have to figure out how to continue to defend today's
[17:19.460 --> 17:26.860]  deployments while thinking through the next generation and having more security baked in.
[17:26.860 --> 17:33.880]  Secure by design, secure by deployment. The third piece is developing deep data capabilities
[17:35.120 --> 17:43.680]  to better put our understanding of risks against the current deployments and
[17:43.680 --> 17:50.200]  building frameworks, building resources and approaches that take advantage of just this
[17:50.200 --> 17:56.820]  wealth of information we all have. Pull it all together and putting into meaningful frameworks.
[17:57.360 --> 18:03.320]  MITRE continues to lead in this space with the industrial control systems framework. Those are
[18:03.320 --> 18:12.040]  the types of activities and approaches that we look to be a part of. Not necessarily invent,
[18:12.040 --> 18:20.440]  not own, we just want to be a part of this effort. And lastly, increasing that risk understanding
[18:21.040 --> 18:28.120]  of the interdependencies that are out there so that we can drive smarter investments,
[18:28.120 --> 18:34.480]  smarter solutions, smarter engagements between the government and industry to get to that
[18:34.480 --> 18:41.440]  objective of democratizing control system security and making the environment safer and more secure.
[18:42.940 --> 18:47.760]  So it's those four pillars that drive our approaches. So what the heck are our approaches?
[18:47.760 --> 18:54.740]  Okay, this is the part that matters. The strategy is about what we're trying to do.
[18:55.460 --> 19:02.960]  Our approaches are how you can work with us to achieve these objectives. So got a few things
[19:02.960 --> 19:07.180]  that are worth talking about here. I already talked about one of them and that's the industrial
[19:07.180 --> 19:15.160]  control system joint working group. This is what is now a twice a year, that's biannual, twice a year
[19:16.820 --> 19:23.780]  now a virtual event, but it provides a free opportunity for anyone that's either getting
[19:23.780 --> 19:30.160]  into the control systems game or is in a jurisdiction that doesn't have travel funds,
[19:30.160 --> 19:33.620]  because those are always a challenge with, you know,
[19:34.760 --> 19:39.480]  the old days conferences. How do you get the money to go to Vegas? How do you get the money to go to
[19:39.480 --> 19:46.720]  Miami? The ICS JWG is about opening up a more inclusive environment so everyone can come
[19:46.720 --> 19:54.020]  together and learn something, even if it's at the 101 level or the 10 whatever remedial is,
[19:54.020 --> 20:00.200]  100 level, it doesn't matter. The point is we have the opportunity to bring more people
[20:00.200 --> 20:06.160]  into this community and that's what we're working towards with the ICS JWG. We had our most recent
[20:06.160 --> 20:12.220]  one in, I don't know, it was a month or so ago. We've got another one coming up in the fall.
[20:13.480 --> 20:20.320]  So that's point one, ICS JWG. So back to that kind of integrating the federal government with the
[20:20.320 --> 20:25.900]  community. We also have an effort called the Control Systems Interagency Working Group,
[20:25.900 --> 20:32.480]  the CSIWG. Now, it says interagency, but don't take from that that it's just government. Again,
[20:32.480 --> 20:41.040]  this is about bringing the executive leadership of the federal agencies that play in control systems
[20:41.040 --> 20:47.880]  together with leaders from industry, from the research community, from the vendor space,
[20:47.880 --> 20:52.360]  bringing everybody together and figuring out, okay, what are our opportunities,
[20:53.040 --> 20:59.600]  our threats? It's really, in part, we're doing a SWOT analysis. How are we strong together?
[20:59.600 --> 21:03.240]  Where are we weak together? What are our opportunities to work together? And then
[21:03.240 --> 21:10.800]  what are the threats? So coming out of the last year or so work of the control systems
[21:10.800 --> 21:18.700]  interagency working group, well, we figured a few things out. One is the government needs to be
[21:18.700 --> 21:25.780]  more coordinated together. Everybody does some part of this game. How do we do it in a more
[21:25.780 --> 21:30.980]  coordinated fashion? Well, one place we can really achieve, I think, some alignment and
[21:30.980 --> 21:37.480]  advancements is in standards. So if we get all the federal government players together on standards
[21:38.060 --> 21:41.540]  and working towards the same common purpose, we can really drive
[21:42.380 --> 21:49.880]  the advancements we're looking for. Also, we can help work to build the workforce of the future.
[21:50.080 --> 21:55.520]  Rather than doing bits and pieces here and there, let's have a collective approach to workforce and
[21:55.980 --> 22:04.060]  a lot of credit to NIST and their efforts in job coding, creating clarity in messaging,
[22:04.060 --> 22:12.640]  and hiring practices. So we have an opportunity there. And also on the investment alignment. So
[22:12.640 --> 22:18.420]  R&D, lots of different R&D efforts across the federal government. We should have a more unified
[22:19.080 --> 22:27.380]  R&D agenda that can get better uses out of our investments, maybe eliminate some
[22:27.900 --> 22:33.620]  duplication or redundancy in efforts. Always a good thing. Maybe put those saved dollars
[22:33.620 --> 22:41.700]  towards another effort. And then lastly, working towards a more unified, streamlined,
[22:41.700 --> 22:50.360]  coherent, and value-added incident response approach within the USG. And in part,
[22:50.360 --> 22:57.700]  what we want to do with this is make sure that we're taking the relevant information out of an
[22:57.700 --> 23:05.140]  incident response effort and sharing that information back out in a protected way for
[23:05.140 --> 23:09.480]  the victim. We're not in the business of re-victimizing a victim. But to the extent
[23:09.480 --> 23:17.060]  that we can extract insights from single or multiple incident responses, that's a good thing.
[23:17.060 --> 23:26.940]  And that's something that we've done recently. In fact, in the oil and natural gas sector,
[23:26.940 --> 23:32.420]  we issued an alert earlier this year. Now, we're not perfect yet. We're still working at this.
[23:32.520 --> 23:38.720]  But your feedback on all of our control systems products is always welcome. So go to cisa.gov,
[23:38.720 --> 23:46.500]  c-i-s-a.gov. Check out our control systems page and all of the products we have there, the alerts,
[23:46.500 --> 23:50.860]  the guidance, the advisories. Let us know where we're hitting the mark. Let us know what else we
[23:50.860 --> 23:56.620]  need to do. And then work with us through the Industrial Control Systems Joint Working Group.
[23:56.620 --> 24:00.920]  There are a few other things that are worth highlighting, particularly since we're doing
[24:00.920 --> 24:07.640]  this DEF CON safe mode thing, something you'll hear about. And that got kicked off last year,
[24:08.430 --> 24:16.860]  rather earlier this year, down in Miami, ICS for ICS, Industrial Control Systems for Incident
[24:16.860 --> 24:21.300]  Command System. Not sure if everybody knows what the Incident Command System is, but it's what the
[24:21.300 --> 24:26.140]  physical emergency responders use to coordinate their efforts, whether it's a hurricane, a
[24:26.140 --> 24:30.520]  wildfire. It's actually the firefighters out in California, the fire service, they're the ones
[24:30.520 --> 24:37.200]  that develop the Incident Command System. But it's got a great application for physical disasters.
[24:37.680 --> 24:45.000]  But I bet if we ever have one of those big time, larger scale, physical or cyber-enabled
[24:45.580 --> 24:52.060]  physical event, guess who's going to show up? The fire department, the emergency managers,
[24:52.060 --> 24:58.980]  state and local officials. There's absolutely a role in control system security and incident
[24:58.980 --> 25:05.360]  response for state and locals. But they also recognize, we recognize, that there are roles
[25:05.360 --> 25:11.280]  for the security community. So what we've got to be able to do is develop those frameworks,
[25:11.280 --> 25:15.320]  develop the frameworks that put everybody together, clarity of roles and responsibilities.
[25:15.320 --> 25:19.420]  So a lot of credit to Megan Samford for her work there, and ICS for ICS,
[25:19.420 --> 25:23.260]  and looking forward to continuing to contribute to that effort.
[25:23.260 --> 25:31.540]  And of course, the best for last here, ICS Village. This year, we were proud to partner
[25:31.540 --> 25:36.440]  with the ICS Village. A lot of credit and thanks goes to Bryson Bort for his efforts.
[25:36.660 --> 25:42.480]  But the idea is we can do more together. That's why we're here. That's why you're seeing
[25:42.480 --> 25:47.520]  the feds show up at DEF CON, even if it's virtually. We were there last year,
[25:48.000 --> 25:54.300]  but we look forward to really growing out this and building out this partnership with the ICS
[25:54.300 --> 26:00.420]  Village and other villages. We're doing that in a couple ways. This year, we've got our
[26:00.420 --> 26:06.560]  Control Environment Laboratory Resource, or CELR, that is going to give simulated environments so
[26:06.560 --> 26:12.400]  that everybody can walk through a couple different scenarios, work on your blue team skills,
[26:13.340 --> 26:18.560]  and run some incident response. This is an effort that we think, again,
[26:18.560 --> 26:28.700]  plays to that democratizing industrial control systems. It's been a long day.
[26:28.700 --> 26:33.420]  Industrial control systems security. Again, democratizing, making it more open. If we can
[26:33.420 --> 26:40.740]  pull more resources out of the National Capital Region, out of specific locations out west,
[26:40.740 --> 26:46.080]  and then make them broadly available virtually, good for everyone. If we can put things on wheels
[26:46.080 --> 26:51.860]  and drive them around to various parts of the country, again, these are good things. That's
[26:51.860 --> 26:57.000]  what we're trying to accomplish here. A control systems ecosystem, security ecosystem, that is
[26:57.000 --> 27:02.600]  open and accessible to everyone. Whether you're in the private sector or you're a municipal water
[27:02.600 --> 27:07.860]  facility, everyone's got requirements. We have to be able to do this together.
[27:08.360 --> 27:14.360]  So the last thing I'll talk about before wrapping this one up is our role in vulnerability management.
[27:14.900 --> 27:23.180]  This has been hell year, I think, for the vulnerability managers out there. Six months
[27:23.180 --> 27:29.600]  of week after week of big vuln after big vuln. I was thinking at some point it's almost a race
[27:29.600 --> 27:34.680]  to the bottom, because think about it, you drop one vulnerability and somebody's probably going
[27:34.680 --> 27:41.340]  to drop one next week, and so you've got tops of seven days in the news cycle. But it's really
[27:41.340 --> 27:49.480]  stressing the teams that historically we haven't invested too much in. The vulnerability management
[27:49.480 --> 27:57.580]  side is one of the most important teams within any organization. We play a key role here in
[27:57.580 --> 28:05.940]  coordinating vulnerability disclosure. We fund and support the CERT Coordination Center, CERT-CC,
[28:05.940 --> 28:10.060]  up at Carnegie Mellon. We also fund the National Vulnerability Database
[28:11.980 --> 28:19.300]  at NIST. So between the CERT-CC CVE process and the National Vulnerability Database,
[28:19.300 --> 28:24.380]  two key resources for any network defendant or any vulnerability manager of understanding
[28:24.380 --> 28:30.940]  what's new, what's coming, and how do you defend against it. We also play a role again through that
[28:31.560 --> 28:37.600]  CERT-CC process where the private sector or a security researcher rather, if they identify
[28:37.600 --> 28:46.440]  something, we can help facilitate the conversation between the appropriate vendor. Now sometimes we
[28:46.440 --> 28:53.820]  don't need to play a role. In fact, we encourage programs, we encourage vendors to have vulnerability
[28:53.820 --> 29:00.960]  disclosure programs, to have as needed bug bounty programs. Again, have a healthy, vibrant
[29:01.620 --> 29:05.500]  ability to engage with the security researcher where you don't need the government,
[29:05.500 --> 29:10.420]  even if it's just fostering or facilitating a protected conversation. But that's not always
[29:11.140 --> 29:17.620]  how things are right now. That's not where some organizations are in their maturity
[29:18.300 --> 29:23.660]  of their own vulnerability disclosure practices. So we play a vital role. Last year, calendar year
[29:23.660 --> 29:35.400]  19, we processed and managed through our CVE process, 11,500 plus vulnerabilities. I think
[29:35.400 --> 29:41.900]  based on this year, we're probably going to exceed that. But that's a role we are happy to play.
[29:41.900 --> 29:48.000]  Again, we are going to continue to issue advice and guidance to organizations of all sizes and
[29:48.000 --> 29:55.880]  stripes. Guidance on how they can set up their own vulnerability disclosure programs. Just last
[29:55.880 --> 30:01.400]  week, we issued some guidance to our partners in the state and local election community about how
[30:01.400 --> 30:08.380]  they can set up vulnerability disclosure programs for their systems. And so it's not just about the
[30:08.380 --> 30:14.260]  code, the software they're coding or whatever. It's their implementations. If you find a vulnerability
[30:14.950 --> 30:21.260]  in a voter registration database, please, you know, first off, if you own that database,
[30:21.260 --> 30:25.800]  you need a process. But if you find that vulnerability, you need a way to report it
[30:25.800 --> 30:30.820]  in a coordinated manner so it can get closed out so that it's closed out before the bad guys get
[30:30.820 --> 30:37.920]  there. So vulnerability management is exactly where we are going to continue investing more
[30:37.920 --> 30:45.600]  broadly in the InfoSec space. And in fact, little known fact, this was supposed to be the year of
[30:45.600 --> 30:52.480]  vulnerability management. That was a theme we had. Little did we know that it was again, it was going
[30:52.480 --> 30:57.360]  to be vulnerability management hell year. But here we are. We're here. We're part of the team. Let us
[30:57.360 --> 31:04.620]  know what help you need. So I'm going to wrap this one up right now. Again, CISA is here as an advisor,
[31:04.620 --> 31:12.460]  as a partner, as a friend. Our objective, again, top line, democratizing industrial control system
[31:12.460 --> 31:19.160]  security at all levels. I don't care where you are. We want to work with you. We are here to
[31:19.160 --> 31:26.540]  provide support, resources, technical assistance, and the information you need to be able to protect
[31:26.540 --> 31:34.380]  your systems. But ultimately, it's not just about defending today's deployments. We've got to make
[31:34.380 --> 31:40.860]  sure that tomorrow's deployments are secure by design, secure by deployment. So with that, I'm
[31:40.860 --> 31:46.440]  going to wrap up these remarks, and I'm going to jump in a time machine, and I'm going to have a
[31:46.440 --> 31:50.680]  costume change and all that, and I think we're going to do some live Q&A. Thanks.
